Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.

Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.

4.
Networking Directions
●
Performance of IP network controls needs to be
improved.
●
Hit by per­packet lookups for security context of
port and IP addresses.
●
IBM did some work on an RCU cache, needs
further investigation.
●
May be replacing IP packet hooks anyway.

9.
Leveraging IPsec III
●
Useful for MLS networking, suitable for LSPP
(B1) and beyond.
●
Not compatible with IP options schemes.
●
More generally useful for extending SELinux
across the network.
●
Control communication between processes on
different systems.

11.
Remote Attestation
●
Use of TPM and associated hardware to
cryptographically verify system from boot.
●
IBM Integrity Measurement Architecture (IMA).
●
Requires protocol which queries TPM with
nonce; TPM signs measurement list and nonce.
●
SELinux policy could be used to require that the
remote system is attested before some other
communication.

12.
Cryptographic Policy
●
SELinux policy could be extended to express
more general cryptographic policy.
●
e.g. foo_t file must be stored with X encryption,
and only transmitted by local admin_t to remote
admin_t on trusted hosts with Y encryption and Z
authentication on the wire.
●
May also require use of specific crypto device or
software.

13.
Distributed Policy
●
Mechanism for distributing and synchronizing
policy within a security realm may be useful
when using distributed MAC.